Enabling the guard means, that even legitimated login attempts will get rejected as long as account lock conditions are met. So an account is not reachable for the user while under attack. An admin could still log in (to a different account), check the source(s) of the malicious login attempts and stop them by other means to help the user restore access to his/her account.

143

142

144

See some example configurations it the [wiki:CookBook/AccountManagerPluginConfiguration#AccountLocking cookbook page] and look at screenshot series below to get an idea, how this looks like and is meant to work.